dogfood: importmap vendors server-only @webjsdev/cli via jspm under bun zero-install

[vivek7405]

Problem

On a fresh bun create webjs@latest my-app && bun run dev (cli 0.10.27, Bun 1.3.14), boot logs a vendor error and burns ~437ms on it:

[webjs] could not vendor '@webjsdev/cli@^0.10.27/bin/webjs.js' via jspm (status 401): Error: Invalid status code 503 reading package config for https://ga.jspm.io/npm:@webjsdev/cli@0.10.26/. Backend fetch failed
[webjs] [webjs] analysis warm in 499ms (graph 14, scan 30, gate 0, actions 2, middleware 0, elision 16, vendor 437)

The @webjsdev/cli/bin/webjs.js import is the webjs-bun.mjs zero-install bootstrap (#675: await import('@webjsdev/cli/bin/webjs.js')). The cli is SERVER-ONLY and must never enter the browser importmap / vendor path, yet the vendor tries to resolve it on jspm. It is non-fatal (analysis still warms) but wrong, slow, and alarming, and it is the bulk of the vendor 437ms cost that reads as a slower boot.

Root cause (grounded)

packages/server/src/vendor.js L68 const BUILTIN = new Set(['@webjsdev/core', '@webjsdev/core/']) is the framework-package exclusion that keeps a package OFF the jspm path. It covers ONLY @webjsdev/core, so @webjsdev/cli (and @webjsdev/server, @webjsdev/mcp) are not excluded and leak to jspm. The ^0.10.27 comes from the #700 scaffold ranges feeding the version into the importmap (#699 declaredVendorVersions / vendorImportMapEntries). jspm then 503s reading a server-only cli package config.

Design / approach

Two complementary fixes (do both):

1. Broaden the vendor exclusion so ALL framework-internal server @webjsdev/* packages (cli, server, mcp; core already excluded) are kept off jspm, not just core. Prefer a predicate over the @webjsdev/ scope for the server-only ones rather than a hardcoded core-only Set.
2. Exclude the webjs-bun.mjs bootstrap (a server-only zero-install entry, Zero-install dev/start on Bun via native auto-install (carve from #669) #675) from the BROWSER import graph / vendor scan entirely, since it is never browser-bound. Verify whether webjs-bun.mjs is being swept into entryFiles.

Implementation notes (for the implementing agent)

• Where: packages/server/src/vendor.js (the BUILTIN set at L68, and the two vendor loops at L668 / L1237 that check BUILTIN.has(pkg)); packages/server/src/module-graph.js (entryFiles derivation, transitiveDeps, reachableFromEntries); check packages/server/src/ssr.js for where browser entryFiles are built and whether the root webjs-bun.mjs is included.
• Landmines: @webjsdev/core MUST stay served by the dev server (not jspm), do not break that. @webjsdev/ui components ARE browser-bound (light-DOM custom elements), so they are NOT server-only; exclude only the genuinely server-only framework packages (cli / server / mcp), not ui's browser pieces. Ties to Make the bun zero-install importmap share the server's resolved dep versions #699 (importmap fallback that now resolves declared @webjsdev deps) and Revert scaffold @webjsdev/* + drizzle exact pins to semver ranges (after #698) #700 (ranges that produced the ^0.10.27).
• Connects to the boot-slowness question: confirm removing the bogus @webjsdev/cli jspm resolution drops the vendor analysis time materially.
• Tests + docs: unit test in packages/server/test that the importmap / vendor entries for a bun zero-install app EXCLUDE @webjsdev/cli|server|mcp (counterfactual: they currently leak); a bun-parity assertion if the path is runtime-sensitive; an e2e / smoke that a fresh bun scaffold boots with no jspm vendor error in the log.

Acceptance criteria

• A fresh bun run dev logs NO could not vendor '@webjsdev/...' error.
• @webjsdev/cli, @webjsdev/server, @webjsdev/mcp never appear in the browser importmap / vendor resolution.
• @webjsdev/core stays served by the dev server (unchanged); @webjsdev/ui browser pieces unaffected.
• The vendor analysis time drops (the bogus jspm fetch is gone).
• A counterfactual test proves the exclusion fires.

Relates to #675, #699, #700, #709.